Considerations in your IAAM journey - Part I: Who does what

In case you missed part 0 in this series, you may want to brush up on how a good IAAM system should work before reading on. 

________________________

The hardest part of standing up an IAAM system is around the people and process, not the technology.  So, let’s start there because if we can’t get this done right, your IAAM project is going to fail.

Let’s begin with the end in mind, as the Lean methodology would have us do. An IAAM solution is designed to do two things, essentially:

  1. Protect your applications and data. 
  2. Prove you’re protecting your applications and data.

To do that you need a handful of major pieces of an IAAM solution set.

The first major piece is a provisioning system (your provisioning system will probably also include a de-provisioning system, but we’ll get to that later), which is what you need to bring new folks on board.  And, when I say “folks,” I mean everyone — FTEs, contractors, volunteers, students, rotating clinicians, non-affiliated providers, and more.

This is important. You can’t protect the applications from your FTEs and call it a day.  You don’t need me to tell you that you have tons and tons of different types of folks accessing your applications and data.  And, because you do, you need to have those folks in your IAAM system. The really hard/controversial part of this is the “who does what” part. That is, who is responsible for managing, or at least knowing about, these non-FTE workers?

I’ve been through this discussion at three different places now and have talked with a ton of other folks, given the nature of my role at Imprivata, about how they do this. The most successful implementations that I’ve seen and have been a part of have…sorry HR…involved HR stepping up to the plate and taking full ownership of everyone that’s on your campus, both physically and logically. One of my HR SVPs told me once when I gently approached him about this, “Wes, HR does human capital management – that’s all the humans that touch our systems or locations, not just FTE capital management.”  As you can imagine, that was one of the easiest implementations I ever got to do.

So, priority number one in my book is establishing who — what department — is responsible for management of all the incoming, and outgoing, people at your organization. You’ll hear some rationalizations that “if I put them in Workday I have to pay for their license.” This is true, but nobody said you had to put them in your HR system, just that HR has to initiate their on/off boarding. Heck, you can use your IAAM system to hold/manage those non-employee entities for that matter. HR can use any number of methods for generating the provisioning of the accounts (ServiceNow comes to mind on this) that your IAAM system manages. Your HR system doesn’t even have to be part of the process.

Fundamentally, you are IT. You help manage the digital identities and your tool even creates those digital IDs. But it’s data from HR, or whomever you decide owns this process, that is used to create the digital IDs you manage.

Next up: Role Based Access Control (RBAC), the unicorn of IAAM…or is it?